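package com.vci.ubcs.gateway.filter;

import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.regex.Pattern;
import org.springframework.cloud.gateway.filter.GatewayFilterChain;
import org.springframework.cloud.gateway.filter.GlobalFilter;
import org.springframework.http.HttpStatus;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

/**
 * Gateway global filter that rejects requests whose path carries an unambiguous
 * attack signature: directory traversal ({@code ../}), access to {@code /WEB-INF/},
 * script or binary file extensions, {@code cmd.exe} and {@code /bin/} paths.
 *
 * <p>This is a coarse denylist and not an authorization mechanism. Anything it does
 * not recognise is forwarded unchanged, so downstream services must still validate
 * their own input and enforce their own access control. The checks are applied to
 * both the raw (still percent-encoded) path and its single-decoded, case-folded form,
 * so {@code %2e%2e/}, {@code ..\} and {@code /web-inf/} are caught as well. Only one
 * decode pass is performed: a double-encoded payload ({@code %252e%252e/}) is not
 * detected here and relies on the downstream service not decoding a second time.
 *
 * <p>Note that the {@code /bin/} and extension checks can also match legitimate paths
 * (e.g. an API that happens to be mounted under {@code /bin/}); adjust the signature
 * list if that is the case for this deployment.
 */
public class EssentialSecurityFilter implements GlobalFilter {

    /**
     * Script/binary extensions that must never be served through the gateway.
     * Compiled once; the original used {@code String.matches}, which recompiles the
     * regex on every request. Matched against the lower-cased path.
     */
    private static final Pattern DANGEROUS_EXTENSION =
            Pattern.compile(".*\\.(jsp|war|sh|bat|exe)$");

    /**
     * Blocks the request with an empty 403 when the path carries an attack signature,
     * otherwise hands the exchange to the rest of the filter chain.
     *
     * @param exchange the current server exchange
     * @param chain    the remaining gateway filter chain
     * @return the completion signal of either the block response or the chain
     */
    @Override
    public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
        ServerHttpRequest request = exchange.getRequest();
        // RequestPath.value() is the path as received on the wire, i.e. percent-encoded
        // sequences are NOT decoded here; isDefinitelyDangerous() decodes them itself.
        String rawPath = request.getPath().value();
        if (isDefinitelyDangerous(rawPath)) {
            return blockRequest(exchange, "危险请求被拦截!");
        }
        return chain.filter(exchange);
    }

    /**
     * Returns {@code true} when the request path carries a known attack signature.
     *
     * <p>The signatures are tested against the raw path and against its URL-decoded
     * form, so percent-encoded traversal ({@code ..%2f}, {@code %2e%2e/}) cannot slip
     * past a plain substring check. A path containing a malformed percent-escape is
     * treated as dangerous, since a legitimate client does not send one.
     *
     * <p>Package-private and static so it can be unit-tested without a
     * {@link ServerWebExchange}.
     *
     * @param rawPath the request path exactly as received (may be percent-encoded)
     * @return {@code true} if the request should be blocked; {@code false} for a
     *         null or empty path
     */
    static boolean isDefinitelyDangerous(String rawPath) {
        if (rawPath == null || rawPath.isEmpty()) {
            return false;
        }
        String decodedPath;
        try {
            // Java 8-compatible overload; UTF-8 is always supported so the checked
            // exception cannot actually occur.
            decodedPath = URLDecoder.decode(rawPath, StandardCharsets.UTF_8.name());
        } catch (UnsupportedEncodingException | IllegalArgumentException malformed) {
            // Invalid %-escape (e.g. "%2" or "%zz"): block rather than guess.
            return true;
        }
        return matchesAttackSignature(rawPath) || matchesAttackSignature(decodedPath);
    }

    /**
     * Applies the denylist to one form of the path (raw or decoded).
     *
     * <p>The path is case-folded with {@link Locale#ROOT} and backslashes are treated
     * as separators before matching, so {@code /WEB-INF/}, {@code /web-inf/},
     * {@code ../} and {@code ..\} are all caught. Besides the original substring and
     * extension checks, a trailing {@code /..} segment is rejected as well, because
     * {@code contains("../")} alone misses a traversal at the very end of the path.
     *
     * @param path one form of the request path; never null
     * @return {@code true} if any signature matches
     */
    private static boolean matchesAttackSignature(String path) {
        String normalized = path.replace('\\', '/').toLowerCase(Locale.ROOT);
        return normalized.contains("../")
                || normalized.endsWith("/..")
                || normalized.contains("/web-inf/")
                || DANGEROUS_EXTENSION.matcher(normalized).matches()
                || normalized.contains("cmd.exe")
                || normalized.contains("/bin/");
    }

    /**
     * Completes the exchange with an empty {@code 403 Forbidden} response.
     *
     * <p>{@code message} is accepted for readability at the call site but is not
     * written to the response body, so nothing about the matched signature is echoed
     * back to the client.
     *
     * @param exchange the exchange to complete
     * @param message  human-readable reason for the block; currently not sent
     * @return the completion signal of the response
     */
    private Mono<Void> blockRequest(ServerWebExchange exchange, String message) {
        exchange.getResponse().setStatusCode(HttpStatus.FORBIDDEN);
        return exchange.getResponse().setComplete();
    }
}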